BOULDER, Colo., March 5 /PRNewswire/ -- The Societe Generale case highlights the critical dependency of business risk control on IT risk management, says Scott Crawford, research director for security and risk management at Enterprise Management Associates (EMA). Many enterprises either do not see this dependency, don't understand it, or turn a blind eye to its implications. According to EMA analysis, the root cause of the scandal stemmed from Jerome Kerviel's alleged ability to thwart both business and IT risk controls, making it clear that it's time for both business and IT risk managers to get smart about business risk in IT.
"Many executives see the management of risk in IT as a secondary issue in business risk management, particularly when compared to a global credit crisis that today seems to be risk management job number one," says Crawford. "Tell that to Societe Generale, where at its worst the alleged scale of fraud was greater than the GNP of Kuwait."
Today, business and IT risk managers need to work together to develop a strategy for identifying business risk and risk control in IT. Crawford believes IT risk managers have wasted too much effort in trying to speak "pidgin risk management" to business professionals in an attempt to make their case in terms the business can understand. This has only deepened many executives' wariness of IT risk management as the domain of technologists who don't really understand the business or business risk.
Crawford says a more pragmatic approach is called for to educate business executives on the practical aspects of IT risk control, and then measuring IT risk management accordingly. In his EMA Advisory Note — Wake Up, Risk Managers: Societe Generale Highlights the Critical Dependency of Business Risk Control on IT (http://www.emausa.com/research/ema_product.php?product=4500_1564), Crawford identifies areas in the Societe Generale case where business risk managers can learn how to identify potential business risk in IT such as IT risk control architecture and entitlement, privilege and event management.
At the same time, IT risk professionals must help the business better understand IT risk management. Says Crawford, "IT can be one of the most flexible risk management tools the business has, but technologists must help the business gain a more practical understanding of how business risks can be better identified, understood and managed in IT. This fosters credibility and better rapport with the business — which, in turn, helps build support for more effective IT risk management.
"Of course, for such a strategy to be effective, both business and IT need to take a more mature approach to risk itself," Crawford adds. "The dilemma for executives is how to balance risk with safety — particularly when greater profitability may be linked to taking on greater risk. When times are booming, executives may feel compelled to take on greater risk just to compete, but the boom-and-bust cycles of the last decade should be illustration enough that the time to pay the piper comes sooner or later."
Crawford foresees an even greater risk in today's up-and-coming generation of business professionals. Unlike those who have gone before, technology isn't something they have to be taught. It's a generation that has grown up gaming, texting and (virtually) living online, which means that someone like Kerviel, who possesses both technical and business expertise, will become more common. This reinforces the need for risk professionals to match business expertise with insight into how technology poses some of the greatest business risks of all, and how technology can be more effective in controlling and reducing business risk.
Crawford also points out that the history of risk management has always been driven by events. From building codes to aviation safety, disasters and near-disasters have always shaped what is considered at any time to be an "acceptable" level of risk management. "The lessons learned from the Societe Generale case can help business risk professionals recognize just how critical information technology is to risk control," he said. "Likewise, technologists must be more aware of how to identify, control and encourage the management of business risks in IT. That way there is something to be gained from what appears to have very nearly been a disaster of historic proportions."
To purchase a copy of Crawford's Advisory Note or for more information on security and risk management research from EMA, please contact Kevin Hecht at firstname.lastname@example.org or 303.543.9500 x124.
NOTE TO EDITORS:
For more information on this topic or to arrange an interview with Scott Crawford, please contact Guy Murrel at email@example.com or 303-581-7760 x17.
About Enterprise Management Associates
Founded in 1996, Enterprise Management Associates (EMA) is a leading industry analyst and consulting firm dedicated to the IT management market. The firm provides IT vendors and enterprise IT professionals with objective insight into the real-world business value of long-established and emerging technologies, ranging from security, storage and IT Service Management (ITSM) to the Configuration Management Database (CMDB), virtualization and service-oriented architecture (SOA). Even with its rapid growth, EMA has never lost sight of the client, and continues to offer personalized support and convenient access to its analysts. For more information on the firm's extensive library of IT management research, free online IT Management Solutions Center and IT consulting offerings, visit http://www.enterprisemanagement.com.
SOURCE Enterprise Management Associates